Team-scoped keys introduce the ability to restrict your token authentication keys to either development or production environments. Topic-specific keys in addition to environment isolation allow you to associate each key with a specific Bundle ID streamlining key management. For detailed instructions on accessing these features, read our updated documentation on establishing a token-based connection to APNs.

the email say this notification type will be available to you in production beginning May 27, 2025, and you can test it in sandbox now. but i didn't receice this notification yet

I try to use CoreBluetooth api on my cus app on vision os. I could connect to two devices on my app, but couldn’t with 3 or more device. Despite connecting the third device using this api, the function does not return anything. When two devices are connected on bluetooth setting, I see the same situation on my custom app. However, I could connect 3 or more devices on the default blu setting. Is there anyone who has similar problem?

I recently needed to develop an application to obtain the window list, which requires Screen Recording permissions. Apple's official documentation mentions using the two functions CGPreflightScreenCaptureAccess and CGRequestScreenCaptureAccess to request permissions. These functions are stated to be available since version 10.15. However, when I used these two functions on a device running macOS 10.15.7, I encountered the errors shown in the attached screenshot. I used the nm tool to inspect the symbols in the CoreGraphics.framework and found that these two functions were not present. Could you help me understand why this is happening?

I have been working on updating an old app that makes extensive use of Objective-C's NSTask. Now using Process in Swift, I'm trying to gather updates as the process runs, using readabilityHandler and availableData. However, my process tends to exit before all data has been read. I found this post entitled "Running a Child Process with Standard Input and Output" but it doesn't seem to address gathering output from long-running tasks. Is there a straightforward way to gather ongoing output from a long running task without it prematurely exiting?

I'm experiencing issues with didRegisterForRemoteNotificationsWithDeviceToken not being called on iOS 18.1.1. Here's what I've tried: Basic Setup: Properly configured UNUserNotificationCenter Requested permissions with requestAuthorization(options:) Registered for remote notifications with registerForRemoteNotifications() Environment: Xcode 16.3 iOS 18.1.1 (physical device) Firebase (tried with and without it) Troubleshooting: Verified provisioning profile includes Push Notifications Confirmed APNs certificate is valid Disabled Firebase's method swizzling Tested on a clean project (works fine) Checked device logs (no relevant errors) Code Snippet: // In AppDelegate.swift public func application(_ application: UIApplication, didRegisterForRemoteNotificationsWithDeviceToken deviceToken: Data) { let tokenParts = deviceToken.map { data in String(format: "%02.2hhx", data) } let tokenString = tokenParts.joined() print("📱 Device Token: \(tokenString)") // Store the token for your backend UserDefaults.standard.set(tokenString, forKey: "deviceToken") // Send to backend Task { do { try await APIService.shared.setDeviceToken(tokenString) } catch { print("❌ [AppDelegate] Failed to send device token to backend: \(error)") } } } public func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]? = nil) -> Bool { // IMPORTANT: First handle push notification registration UNUserNotificationCenter.current().delegate = self // Request notification permissions self.requestNotificationPermissions() // Register for remote notifications DispatchQueue.main.async { UIApplication.shared.registerForRemoteNotifications() } return true } private func requestNotificationPermissions() { UNUserNotificationCenter.current().requestAuthorization(options: [.alert, .badge, .sound]) { granted, error in guard granted else { print("❌ Notification permission not granted") return } print("✅ Notification permission granted") } }

Recently, while developing a network extension on macOS, I encountered a very interesting issue. When the App Sandbox entitlement is included, the NE (Network Extension) can be called and run normally. However, when the App Sandbox is removed, with everything else remaining unchanged, an error occurs. The logs are as follows: Failed to find an app extension with identifier app.acmeVpnM.extension and extension point com.apple.networkextension.packet-tunnel: (null) Found 0 registrations for app.acmeVpnM.extension (com.apple.networkextension.packet-tunnel) If you add app sandbox, it will run normally. this is my container app entitlement this is my NE extension (without App SandBox) I want to know the reason for this. App sandbox shouldn't be mandatory. How can I make my NE run in an environment without app sandbox?

Hi Apple engineering team, I contacted Developer Support regarding the status of our entitlements request, and they recommended that I post here for visibility. It’s been just over two weeks since we submitted the request, and we haven’t received any updates yet. We understand these requests can take time, but it’s unclear what the typical timeline looks like or if there’s any way to check on the progress. Is there a way to get an update or better understand where we are in the process? We’re trying to plan our release and would really appreciate any guidance on what to expect. Thanks in advance for your help.

I am creating an app that uses critical messages, I have been granted this entitlement and I am adding the certificate and in the info.plist. In the app I request authorization to send messages to specific numbers. When I try the app in production from Xcode this works fine and I can send the critical messages. However, when I am using the app in the test flight the authorization does not seem to be remembered on the background. Moreover, I go to security/privacy settings and I grant permission to the selected number (I see that it only shows one number even when I have to granted, its like it removes the previous one) however when I exit the setting page the permission is reset (and therefore denied), I think this is a bug. Can you look into that. Both this removing granted permission (HIGH PRIORITY, this message can only be sent in the background, therefore the user can not grant it and why the maximum telephone number to be granted to send messages is reset also to a single one LOWER PRIORITY). Thanks

I can't access the CloudKit Console. It started to be unresponsive for hours today. It looks like sync'ing is still working, but I would like to reset the environment during my development! Is it possible to control CloudKit Console using the command line?

I have a 4-input, 4-output hardware device and an 8-input, 8-output virtual device, which I combine into an aggregate device. I am using the SimplyCoreAudio library to get the channel count. The code is as follows: aggregationDevice!.channels(scope: .input) =>> 12 aggregationDevice!.channels(scope: .output) =>> 12 When the program's MicrophoneMode is set to standard, the channel count is correct. However, when I set the MicrophoneMode to voiceIsolation, the channel count is incorrect: aggregationDevice!.channels(scope: .input) =>> 4 aggregationDevice!.channels(scope: .output) =>> 12 Below is the code for creating the aggregate device： func createAggregateDevice(mainDevice: AudioDevice, secondDevice: AudioDevice?, named name: String, uid: String) -> AudioDevice? { guard let mainDeviceUID = mainDevice.uid else { return nil } var deviceList: [[String: Any]] = [ [ kAudioSubDeviceUIDKey: mainDeviceUID, kAudioSubDeviceDriftCompensationKey:1 ] ] // make sure same device isn't added twice if let secondDeviceUID = secondDevice?.uid, secondDeviceUID != mainDeviceUID { deviceList.append([ kAudioSubDeviceUIDKey: secondDeviceUID, kAudioSubDeviceDriftCompensationKey:1, kAudioSubDeviceInputChannelsKey:8 ]) } let desc: [String: Any] = [ kAudioAggregateDeviceNameKey: name, kAudioAggregateDeviceUIDKey: uid, kAudioAggregateDeviceSubDeviceListKey: deviceList, kAudioAggregateDeviceMainSubDeviceKey: mainDeviceUID, kAudioAggregateDeviceIsPrivateKey:false, ] var deviceID: AudioDeviceID = 0 let error = AudioHardwareCreateAggregateDevice(desc as CFDictionary, &deviceID) guard error == noErr else { return nil } return AudioDevice.lookup(by: deviceID) } I hope someone can tell me the reason Thank you！

Hi, We're in the process of following Apple’s guidance on transitioning away from Packet Filter (pf) and migrating to a Network Extension-based solution that functions as a firewall. During this transition, we've encountered several limitations with the current Content Filter API and wanted to share our findings. Our VPN client relies on firewall functionality to enforce strict adherence to split tunneling rules defined via the routing table. This ensures that no traffic leaks outside the VPN tunnel, which is critical for our users for a variety of reasons. To enforce this, our product currently uses interface-scoped rules to block all non-VPN traffic outside the tunnel. Replicating this behavior with the Content Filter API (NEFilterDataProvider) appears to be infeasible today. The key limitation we've encountered is that the current Content Filter API does not expose information about the network interface associated with a flow. As a workaround, we considered using the flow’s local endpoint IP to infer the interface, but this data is not available until after returning a verdict to peek into the flow’s data—at which point the connection has already been established. This can result in connection metadata leaking outside the tunnel, which may contain sensitive information depending on the connection. What is the recommended approach for this use case? NEFilterPacketProvider? This may work, but it has a negative impact on network performance. Using a Packet Tunnel Provider and purely relying on enforceRoutes? Would this indeed ensure that no traffic can leak by targeting a specific interface or by using a second VPN extension? And more broadly—especially if no such approach is currently feasible with the existing APIs—we're interpreting TN3165 as a signal that pf should be considered deprecated and may not be available in the next major macOS release. Is that a reasonable interpretation?

Hello Devs, I'm encountering a persistent INTERNAL_ERROR (HTTP 500) when making Server-to-Server API calls to CloudKit, specifically when trying to hit the /users/current endpoint, even after meticulously verifying all client-side components. I'm hoping someone might have insight into what could cause this. Context: Goal: Authenticate to CloudKit from a Vercel Serverless Function (Node.js) to perform operations like record queries. Problem Endpoint: POST https://api.apple-cloudkit.com/database/1/iCloud.com.dannybaseball.Danny-Baseball/production/public/users/current Key Generation Method: Using the CloudKit Dashboard's "Tokens & Keys" -> "New Server-to-Server Key" flow, where I generate the private key using openssl ecparam -name prime256v1 -genkey -noout -out mykey.pem, then extract the public key using openssl ec -in mykey.pem -pubout, and paste the public key material (between BEGIN/END markers) into the dashboard. The private key was then converted to PKCS#8 format using openssl pkcs8 -topk8 -nocrypt -in mykey.pem -out mykey_pkcs8.pem. Current Setup Being Tested (in a Vercel Node.js function): CLOUDKIT_CONTAINER: iCloud.com.dannybaseball.Danny-Baseball CLOUDKIT_KEY_ID: 9368dddf141ce9bc0da743b9f69bc3eda132b9bb3e62a4167e428d4f320b656e (This is the Key ID generated from the CloudKit Dashboard for the public key I provided). CLOUDKIT_P8_KEY (Environment Variable): Contains the base64 encoded string of the entire content of my PKCS#8 formatted private key file. Key Processing in Code: const p8Base64 = process.env.CLOUDKIT_P8_KEY; const privateKeyPEM = Buffer.from(p8Base64, 'base64').toString('utf8'); // This privateKeyPEM string starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----" const privateKey = crypto.createPrivateKey({ key: privateKeyPEM, format: 'pem' }); // This line SUCCEEDS without DECODER errors in my Vercel function logs. Use code with caution. JavaScript Request Body for /users/current: "{}" Signing String (message = Date:BodyHash:Path): Date: Correct ISO8601 format (e.g., "2025-05-21T19:38:11.886Z") BodyHash: Correct SHA256 hash of "{}", then Base64 encoded (e.g., "RBNvo1WzZ4oRRq0W9+hknpT7T8If536DEMBg9hyq/4o=") Path: Exactly /database/1/iCloud.com.dannybaseball.Danny-Baseball/production/public/users/current Headers: X-Apple-CloudKit-Request-KeyID: Set to the correct Key ID. X-Apple-CloudKit-Request-ISO8601Date: Set to the date used in the signature. X-Apple-CloudKit-Request-SignatureV1: Set to the generated signature. X-Apple-CloudKit-Environment: "production" Content-Type: "application/json" Observed Behavior & Logs: The Node.js crypto.createPrivateKey call successfully parses the decoded PEM key in my Vercel function. The request is sent to CloudKit. CloudKit responds with HTTP 500 and the following JSON body (UUID varies per request): { "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "serverErrorCode": "INTERNAL_ERROR" } Use code with caution. Json This happens consistently. Previously, with other key pairs or different P8 processing attempts, I was getting AUTHENTICATION_FAILED (401) or local DECODER errors. Now that the key parsing is successful on my end with this current key pair and setup, I'm hitting this INTERNAL_ERROR. Troubleshooting Done: Verified Key ID (9368dddf...) is correct and corresponds to the key generated via CloudKit Dashboard. Verified Container ID (iCloud.com.dannybaseball.Danny-Baseball) is correct. Successfully parsed the private key from the environment variable (after base64 decoding) within the Vercel function. Meticulously checked the signing string components (Date, BodyHash, Path) against Apple's documentation. Path format is /database/1////. Ensured all required headers are present with correct values. Local Node.js tests (bypassing Vercel but using the same key data and signing logic) also result in this INTERNAL_ERROR. Question: What could cause CloudKit to return an INTERNAL_ERROR (500) for a /users/current request when the client-side key parsing is successful and all request components (path, body hash for signature, date, headers) appear to conform exactly to the Server-to-Server Web Services Reference? Are there any known subtle issues with EC keys generated via openssl ecparam (and then converted to PKCS#8) that might lead to this, even if crypto.createPrivateKey parses them in Node.js? Could there be an issue with my specific Key ID or container that would manifest this way, requiring Apple intervention? Any insights or suggestions would be greatly appreciated. I can provide more detailed logs of the request components if needed. Thank you!

hi, I have offered to help port a custom debug tool that "revives" a process from a core file. It currently works on Linux and Windows and I would like to help port it to macOS. On Linux, prelink is used to load a dynamic library at a specific addrress (to match its location in corefile). On Windows, editbin is used. Is there an off the shelf tool that loads a dylib on macOS at a specified address? I tried to research this topic and I see: dylibs on macOS are position independent, though apparently it is possible to build a position dependent lib (but the note doesn't say how) there is a slide value that adjust base address of a dylib (but I can not find much actual info on how exactly to use it) prebinding (deprecated?) I feel like I am starting to veer off into fun topics, like dylib hijacking and implementing custom dylib loaders (DyldDeNeuralyzer). As much as I enjoy going off main path sometimes, can someone help set me back on the main path? thanks!

In general my workout app is reachable from the iPhone when running a workout, even if in the background. However if the watch app restarts (due to crash or being closed via the dock) via handleActiveWorkoutRecovery then it is only reachable when in the foreground, even though a workout is running. Is this expected / desired behaviour? Is the app given a tighter sandbox (having it's "background privileges" reduced) because of the earlier crash? This behaviour occasionally happens without a crash (or being closed via the dock) - all of a sudden it is no longer reachable via the iPhone. It feels like the app is being "sandboxed" like in #1 but there is no crash or any other kind of log indicating any issue. Generally the only remedy is to stop the workout and restart the app. My question is - is this expected? Is there some condition that causes the watchOS to sandbox the app? Or is this a Watch Connectivity bug?

A message filter extension is only forwarded SMSs by the OS for filtering, iMessages aren't. But what is the situation with RCS messages? Will they be filterable by a message filtering extension?

Hi Apple engineering team, I’m trying to integrate the new Live Caller ID Lookup (PIR) on iOS using your pir-service-example code as well as a custom mock server in Vapor, but the extension never advances past the /issue/token-key-for-user-token step. I’ve tried both: 1. Official Example Cloned https://github.com/apple/pir-service-example Ran PIRService locally Confirmed that GET /.well-known/private-token-issuer-directory → 200 GET /issue/token-key-for-user-token → 200 (DER bytes, correct SPKI) No POST /issue ever fires 2. Mock Server (Vapor) Implemented all five endpoints (/config, /.well-known/private-token-issuer-directory, /issue/token-key-for-user-token, /issue, /queries) Verified with curl and openssl asn1parse that: GET /.well-known/private-token-issuer-directory Content-Type: application/private-token-issuer-directory { "issuer-request-uri":"https://…/issue", "token-keys":[…] } GET /issue/token-key-for-user-token Content-Type: application/octet-stream <DER bytes> Added Cache-Control: public, max-age=3600 on directory and SPKI Stubbed POST /issue to always return { "token": "" } Still no POST /issue request from the extension Reproduction Steps Install and enable a Live Lookup extension pointing to my server. Trigger an incoming call on device. Watch server logs—only see the two GETs, never /issue or /queries. Expected Behavior After fetching the SPKI DER, the framework should issue a POST /issue call (Privacy Pass flow) and then POST /queries. Observed Behavior Stuck in an infinite loop of: GET /.well-known/private-token-issuer-directory GET /issue/token-key-for-user-token (repeat…) No progression to the /issue or /queries endpoints. What I’ve Tried Verified JSON kebab-case and headers exactly match examples Confirmed SPKI DER is valid via openssl asn1parse Added Cache-Control headers Tested on real device, localhost url, and ngrok public URL Mocked a valid-looking token response Could you advise what additional requirement or format detail I’m missing that prevents from advancing past /issue/token-key-for-user-token? These are the main files: LiveLookupExtension.swift routes.swift service-config.json Thanks in advance!

I am seeing a really weird behavior with Live Activities. The Live Activity is always appearing on the simulator. However the Live Activity is only appearing on my physical device when there is no other widget in the widget bundle shown below. @main struct HoerspielWidgetsBundle: WidgetBundle { var body: some Widget { // Uncomment the line below and the Live Activity will no longer appear // UpNextWidget() PlaybackLiveActivity() } } Annotating that var with @WidgetBundle has no effect. There are no logs indicating an error, the function to request a Live Activity does not throw and the status of the activity is active. Both the widget and the Live Activity are working fine otherwise. NSSupportsLiveActivities is set to true in the correct Info.plist file. I am not running any beta software and the physical iPhone is on the newest version (iOS 18.5). Using the template when adding a new target in Xcode, I was able to set up a similar app where the Live Activity works as expected. I am really at a loss here which additional information I should provide or how this issue can be resolved. Thank you for your help.

Hello, I have encountered an issue with an iPhone 15PM with iOS 18.5. The NSHTTPCookieStorage failed to clear cookies, but even after clearing them, I was still able to retrieve them. However, on the same system It is normal on iPhone 14PM. I would like to know the specific reason and whether there are any adaptation related issues. Following code: NSHTTPCookie *cookie; NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage]; for (cookie in [storage cookies]) { [storage deleteCookie:cookie]; }

Is there a delay or problem at the OS end during subsequent jack connections if IOS is running a Bluetooth and beacon connection and it stays without a connection for a few hours?

Recently, we have observed that after upgrading to OS 15.4.1, some devices are experiencing network issues. We are using a Network Extension with a transparent app proxy in our product. The user encounters this issue while using our client, but the issue persists even after stopping the client app. This appears to be an OS issue. Below is the sytem logs. In the system logs, it says [C669.1 Hostname#546597df:443 failed transform (unsatisfied (No network route), flow divert agg: 2)] event: transform:children_failed @0.001s In scutil --dns, it says not reachble. DNS configuration resolver #1 flags : reach : 0x00000000 (Not Reachable) resolver #2 domain : local options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300000 resolver #3 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300200 resolver #4 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300400 resolver #5 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300600 resolver #6 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 300800 resolver #7 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : reach : 0x00000000 (Not Reachable) order : 301000 We need to restart the system to recover from the issue.